
Re: ISP and DNS port scanning!



> On Tue, Nov 18, 2003 at 10:50:02PM +0000, Antony Gelberg wrote:
 
> >Looks like a ping (ICMP type 8).  Where do you get port scanning from?
> >FWIW, I think that blocking pings via a firewall isn't recommended, but
> >not sure why.

Jon wrote:

> It does not provide any kind of security or protection what-so-ever,
> whilst removing the proper way of other people / you from elsewhere
> determining if your connection is working ok.

> -- 
> Jon Dowland
> http://jon.dowland.name/

What you have all said still does not sync. When I look at the notes provided 
in my log I can see what you mean: it is a type 8 ICMP, code 0, or whatever you 
say that means, but the destination is another DNS server.

This is a line taken from my log again.
11/18/2003 14:53:24     Firewall default policy: ICMP (W to W/ZW, type:8, 
code:0)         66.61.104.72    66.61.118.206   ACCESS BLOCK 14

OK, like I mentioned in my first post, if I do an ARIN Whois on address 
66.61.104.72 it tells me it is a DNS block.  When I do an ARIN Whois on the 
destination 66.61.118.206 it is another DNS block; both happen to belong to 
my ISP but in different cities.  My cable modem action light is almost always 
solid orange, which tells me I have a busy link even if I am not using the 
net.
 
So why am I getting pinged by a DNS server?  Why do all the destinations 
reported by my router log point to another DNS server?

Even if I forwarded the ping to a DMZ or a safe machine, it would not find the 
machine, since I do not have any access to that network block.  My Debian 
machine uses DHCP to log into my ISP through my router; my Windows machines use 
static IPs set up to log into my router.

My router is a Zyxel ZyWall 2xw with 802.11b for wireless clients.   I do not 
run any web or FTP servers, and at the moment I do not have any ports 
forwarded to any machine.  It's like a default setup with a hardware firewall 
and no ports open to the outside world.  All passwords are changed, and WEP 
is changed at a reasonable time frame.  Everything works great, except I keep 
getting those recorded in my log.

I could understand if the destination was my router, or a machine under the 
subnet, but it is not.  Also the source machines seem to change, unlike the 
destination machine.

That is the reason I wanted to ask all of you; I really do not know why this 
is happening.

Rthoreau
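As an added example (not code from this thread), here is a small Python parser for the ZyWall "Firewall default policy" log line quoted above. It pulls out the ICMP type/code and the source and destination addresses, then counts blocked echo requests whose destination is not the router's own WAN address, which is the puzzling case described in the post. The field order is assumed from that one line, and the two extra log lines and the WAN address are constructed placeholders.

```python
import re
from collections import Counter

# ICMP type numbers (RFC 792) that commonly show up in consumer firewall logs.
ICMP_TYPE_NAMES = {0: "echo reply", 3: "destination unreachable",
                   8: "echo request", 11: "time exceeded"}

# Matches the ZyWall "Firewall default policy" line shape quoted in the post;
# the field order is assumed from that single line, not from Zyxel documentation.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"Firewall default policy:\s+(?P<proto>\S+)\s+"
    r"\((?P<dir>[^,]+),\s*type:(?P<type>\d+),\s*code:(?P<code>\d+)\)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<action>ACCESS \w+)\s+(?P<count>\d+)\s*$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["icmp_type"] = int(rec.pop("type"))
    rec["icmp_code"] = int(rec.pop("code"))
    rec["type_name"] = ICMP_TYPE_NAMES.get(rec["icmp_type"], "other")
    return rec

def echo_requests_not_for_me(lines, my_wan_ip):
    """Count blocked echo requests per (src, dst) whose destination is not our WAN IP.
    These are the puzzling entries in the post: traffic the router logged but which
    was addressed to some other host on the ISP's network."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["icmp_type"] == 8 and rec["dst"] != my_wan_ip:
            hits[(rec["src"], rec["dst"])] += 1
    return hits

# Constructed sample: the line quoted in the post plus two made-up entries.
SAMPLE_LOG = [
    "11/18/2003 14:53:24     Firewall default policy: ICMP (W to W/ZW, type:8, code:0)         66.61.104.72    66.61.118.206   ACCESS BLOCK 14",
    "11/18/2003 14:55:01     Firewall default policy: ICMP (W to W/ZW, type:8, code:0)         203.0.113.7     66.61.118.206   ACCESS BLOCK 15",
    "11/18/2003 14:56:10     Firewall default policy: ICMP (W to W/ZW, type:8, code:0)         198.51.100.9    192.0.2.44      ACCESS BLOCK 16",
]
MY_WAN_IP = "192.0.2.44"  # placeholder: the router's own DHCP-assigned WAN address

if __name__ == "__main__":
    for (src, dst), n in echo_requests_not_for_me(SAMPLE_LOG, MY_WAN_IP).items():
        print(f"{n} echo request(s) from {src} to {dst}, not addressed to this router")
```

Feeding the real log through this and comparing the destination column against the router's WAN address separates pings aimed at you from traffic the router merely observed on the ISP segment.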


